OSX Firewall Gurus, please help


10 replies to this topic

#1 Frigidman™

Frigidman™

    Eye Sea Yew

  • Admin
  • 4265 posts
  • Steam ID:frigidman
  • Location:East mahn, East!
  • Pro Member:Yes

Posted 21 April 2015 - 10:38 AM

So, I deal with accessing some remote machines a lot for odd jobs and work, and a few are actual OSX machines accessed via VNC.

One thing I noticed on one of them, is that the console is spewing:

4/21/15 11:27:30.324 AM sshd[48791]: error: PAM: authentication error for root from w.x.y.z via 1.2.3.4

I blanked out the real IPs to protect both the attacker, and the host. I see these spews a LOT lately, and when they begin it's a new IP, but lasts for about 15-minute spans. Then stops for about an hour, then picks up again. Clearly this is an attack on sshd.

Now, on a linux server I know how to deal with that, as I run a log scan script that blacklists the IP at the door using iptables. However in OSX land, I'm like totally clueless what to do. Is there anyone out there who has or knows of a nice app/firewall script (preferably free to use) that notices these sorts of obvious attacks, and drops the ip?

See, no one who USES the machine would ever cause that many ssh login errors (heck, not any, since everyone uses VNC)... so this wouldn't be a bad thing.

Anyone gots some idears?

-Fm [1oM7]
"I'm not incorruptible, I am so corrupt nothing you can offer me is tempting." - Alfred Bester


#2 macdude22

macdude22

    Like, totally awesome.

  • Forum Moderators
  • 2045 posts
  • Steam Name:Rakden
  • Location:Iowa
  • Pro Member:Yes

Posted 21 April 2015 - 10:43 AM

http://www.murusfirewall.com will help you configure the firewall to a greater extent than the app stuff presented in System Preferences.
IMG Discord Server | http://raptr.com/rakden | http://www.trueachie....com/Rakden.htm
Enterprise (MacPro 3,1): 8 Xeon Cores @ 2.8 GHz || 14 GB RAM || Radeon 4870 || 480GB Crucial M500 + 2TB WD Black (Fusion Drive) || 144hz Asus Mon
Defiant (MacBookPro 9,1): Core i7 @ 2.3ghz || 8GB RAM || nVidia GT 650M 512MB || 512GB Toshiba SSD

#3 Frigidman™

Posted 21 April 2015 - 10:54 AM

Wow that website is hella annoying with its fade in loading of more and more stuff hahaha.



#4 the Battle Cat

the Battle Cat

    Carnage Served Raw

  • Admin
  • 17429 posts
  • Location:Citadel City, Lh'owon
  • Pro Member:Yes

Posted 21 April 2015 - 12:55 PM

If your eye offends thee then pluck it out.  Don't use your thumbs, I have a spoon you can use, just a sec...  ::wipes spoon off in his armpit::  Here.
Gary Simmons
the Battle Cat

#5 MacFreek

MacFreek

    Newbie

  • Members
  • 4 posts
  • Location:Utrecht, Netherlands

Posted 21 April 2015 - 05:27 PM

Frigidman™, on 21 April 2015 - 10:38 AM, said:

Now, on a linux server I know how to deal with that, as I run a log scan script that blacklists the IP at the door using iptables. However in OSX land, I'm like totally clueless what to do. Is there anyone out there who has or knows of a nice app/firewall script (preferably free to use) that notices these sorts of obvious attacks, and drops the ip?

Just a bit of background: OS X uses the pf (packet filter) firewall, developed on OpenBSD. My suggestion is to create some rules in /etc/pf.conf (preferably using an include, so you don't lose the config if an OS-update overwrites this file). I have never configured this, but a search on sshd + pf + rate gives enough hits to get you going. Good luck!
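
Added example, not part of the post above and not code from any participant or project: a small Python version of the log-scan approach from the first post, producing `pfctl` table commands for the pf firewall mentioned here. The table name, threshold, window and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Console line layout as quoted in the first post of the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) sshd\[\d+\]: "
    r"error: PAM: authentication error for \S+ from (?P<src>\S+) via \S+$")

def parse_failure(line):
    """Return (timestamp, source_ip) for a failed sshd login, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # not a literal IP: never hand it to the firewall
    return datetime.strptime(m.group("ts"), "%m/%d/%y %I:%M:%S.%f %p"), str(src)

def find_offenders(lines, threshold=5, window=timedelta(minutes=10), allow=()):
    """Sources with >= threshold failures inside one sliding window."""
    recent, offenders = defaultdict(deque), []
    for ts, src in filter(None, map(parse_failure, lines)):
        if src in allow or src in offenders:
            continue  # allow-list your own admin addresses to avoid lockout
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders.append(src)
    return offenders

def pfctl_commands(offenders, table="sshd_bruteforce"):
    """argv lists to run as root. Hypothetical table; an anchor included from
    /etc/pf.conf must declare:  table <sshd_bruteforce> persist
    and:  block drop in quick from <sshd_bruteforce>"""
    return [["pfctl", "-t", table, "-T", "add", ip] for ip in offenders]

# Constructed sample: one burst, one slow source, one redacted line.
FMT = "4/21/15 11:{}.324 AM sshd[48791]: error: PAM: authentication error for root from {} via 192.0.2.1"
SAMPLE = ([FMT.format(f"27:{s:02d}", "203.0.113.7") for s in range(0, 50, 10)]
          + [FMT.format(f"{m:02d}:00", "198.51.100.9") for m in range(0, 60, 12)]
          + [FMT.format("30:00", "w.x.y.z")])

if __name__ == "__main__":
    print(pfctl_commands(find_offenders(SAMPLE)))
```

Only the burst source crosses the threshold; the slow source and the redacted `w.x.y.z` line are ignored, and nothing is executed until the returned argv lists are run as root.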

#6 DirtyHarry50

DirtyHarry50

    Special Snowflake

  • Members
  • 1575 posts
  • Steam Name:DirtyHarry
  • Steam ID:dirtyharry2
  • Location:North Carolina, USA

Posted 22 April 2015 - 01:31 AM

I live in a rural area so I don't need a firewall right? I mean, nobody ever comes around here anyway.
“The time you enjoy wasting is not wasted time.” — Bertrand Russell

#7 MacFreek

Posted 22 April 2015 - 01:34 AM

DirtyHarry50, on 22 April 2015 - 01:31 AM, said:

I live in a rural area so I don't need a firewall right? I mean, nobody ever comes around here anyway.

LOL, that's the funniest flamebait I've seen in a while :P

#8 Frigidman™

Posted 22 April 2015 - 07:14 AM

Well, a firewall isn't to keep people out (or in), it's to make sure flames don't burn down something else too quickly. So in a rural area, you would need more firewalls, to help keep the structure by the time any sort of firefighters can actually reach you.



#9 Frigidman™

Posted 22 April 2015 - 11:41 AM

Yup, all that is over my head and way more work than I'm willing to take up doing. I don't have hours and hours every day to set up something like these on external machines.

I want something simple.

I guess simple and linux/unix just don't mix. I'm asking for too much.

I looked at fail2ban, and I couldn't even figure out wtf to do with that monster of an installation steps which seemed to be more sketchy than helpful.



#10 DirtyHarry50

Posted 23 April 2015 - 07:39 PM

MacFreek, on 22 April 2015 - 01:34 AM, said:

LOL, that's the funniest flamebait I've seen in a while :P

Something tells me it is time to reread, "How to Make Friends and Influence People" again, like before the mighty ban hammer makes me become one with the earth.

I promise now to leave this thread and never, ever come back!

#11 the Battle Cat

Posted 24 April 2015 - 09:01 AM

DirtyHarry50, on 23 April 2015 - 07:39 PM, said:

Something tells me it is time to reread, "How to Make Friends and Influence People" again, like before the mighty ban hammer makes me become one with the earth.

I promise now to leave this thread and never, ever come back!

Though you are being sarcastic, I should take this opportunity to say that you are doing fine.  Fun, informative, helpful... all win.  Good to have you here.